The financial services landscape is rapidly evolving, and one notable trend is banking as a service (BaaS). In BaaS, nonbanks (such as financial technology (fintech) companies) collaborate with banks to offer banking services without requiring a bank license. This approach allows for faster and more cost-effective delivery of banking services through digital channels. However, it also introduces compliance risks that need careful consideration.
In February 2024, the Federal Deposit Insurance Corporation (FDIC) entered into consent orders with two banks that collaborate with fintech companies to provide BaaS. These orders were prompted by safety and soundness concerns related to compliance with the Bank Secrecy Act (BSA), adherence to applicable laws and third-party oversight.
The FDIC’s scrutiny centered around the banks’ lack of adequate oversight of the anti-money laundering/countering the financing of terrorism (AML/CFT) regulatory compliance of their third-party partners.
These incidents are not isolated; a wave of regulatory fines has been levied against various institutions, underscoring the critical need to prioritize compliance in these relationships—from initial onboarding to ongoing monitoring throughout the partnership’s duration.
There is no one-size-fits-all approach to regulatory compliance. In BaaS partnerships, financial institutions and technology companies are separate entities that are third parties to each other. In any BaaS partnership, it is crucial for every party involved to establish a comprehensive and tailored compliance program. Each partner should understand which rules and regulations apply to their organization and build corresponding controls appropriate for their risk profile.
Compliance responsibilities should be explicitly outlined in the partnership contract so that both partners are aligned on risk management and compliance. The partnership agreement serves as a valuable tool for effective risk management.
To ensure that a BaaS partner is delivering on its compliance obligations, the other party should periodically monitor the partner’s performance and determine whether the agreed-upon conditions of the contract are being met.
Parties involved in the BaaS relationship need to focus on gaining an understanding of how their partner is verifying the identity of the customer, assessing the risk of the customer relationship, monitoring for sanctions, and performing transaction monitoring to identify any illicit activities.
Fintech companies that offer bank-like products are typically subject to the Bank Secrecy Act, and it is imperative that they assess their risk profile in order to establish and execute a robust compliance program to prevent their products and services from being used for criminal activities. Where some fintech companies fall short is in relying on their banking partners to perform their BSA duties on their behalf. Likewise, banking partners fall short by not properly monitoring the fintech companies’ BSA programs.
Remember that adherence to compliance standards is essential for maintaining trust and integrity within the financial industry. Effective third-party risk management plays a crucial role in ensuring the safety, reliability, and compliance of the products and services offered by both parties, and in mitigating potential financial and reputational damage.
BaaS offers convenience but demands rigorous risk management and compliance efforts. The recent third-party risk management interagency guidance released by the FDIC, Federal Reserve Board, and Office of the Comptroller of the Currency underscores the importance of navigating the regulatory landscape effectively.